RESULTS OF KPMG VULNERABILITY
TECHNOLOGY SECURITY ASSESSMENT

AUDIT NUMBER 7-16

MARCH 6, 2007

This report may contain proprietary information subject to the provisions of 18 USC 1905 and must not be released to the public or another agency without permission of the Office of Inspector General.


U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

March 6, 2007

To:       Christine Liu
          Chief Information Officer

From:     Debra Ritt
          Assistant Inspector General for Auditing

Subject:  Results of KPMG's Information Technology Security Assessment

Attached is the report on the results of an Information Technology Security Assessment issued by KPMG LLP, which identifies entity-wide security vulnerabilities that were identified during its audit of SBA's FY 2006 financial statements. Due to sensitive information contained within this report, the report will not be released to the public.

The audit was performed under a contract with the Office of Inspector General (OIG) and in accordance with Generally Accepted Government Auditing Standards; Office of Management and Budget's (OMB) Bulletin 06-03, Audit Requirements for Federal Financial Statements, the Government Accountability Office (GAO)/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual and GAO's Federal Information System Controls Audit Manual.

SBA generally agreed with the findings and recommendations and provided target completion dates for all 7 recommendations made by KPMG. We plan to track SBA's implementation of KPMG's recommendations through the audit follow-up process.

We appreciate the courtesies and cooperation of the Small Business Administration representatives during this audit. If you have any questions concerning this report, please call me at (202) 205- [Exemption 2] or Jeff Brindle, Director of the Financial Management and Information Technology group, at (202) 205- [Exemption 2].

Attachment


UNITED STATES SMALL BUSINESS ADMINISTRATION

FY 2006 FINANCIAL STATEMENT AUDIT

Results of the Information Technology
Security Vulnerability Assessment

Contract Number - 43-3151-5-2003

Task Order Number - AG-3151-D-06-0088

--FINAL REPORT--

March 1, 2007


Limited Official Use - Sensitive

Results In Brief

The Small Business Administration (SBA) Office of Inspector General (OIG) contracted with KPMG LLP to perform the FY 2006 external and internal vulnerability assessment in support of the fiscal year 2006 financial statement audit for SBA. As a result, KPMG performed a limited vulnerability assessment to assess the security controls for key SBA network devices and related device operating software. The scope of the review included key SBA's internal network devices and systems (i.e., available from within the SBA network), and external network devices and systems (i.e., available over the Internet). Information security is a critical control element for SBA, both from a financial processing perspective and an operational perspective.

The purpose of a vulnerability assessment was to test the implementation of information security controls for key network and system devices supporting financial and administrative processing activities. To perform this review, KPMG information security analysts utilized several automated assessment tools and their knowledge of known security exploits to identify potential security vulnerabilities. The SBA Office of Chief Information Officer (OCIO) and IT security (ITSEC) personnel were aware of our review efforts at all times, and critical issues were communicated to SBA personnel as they were identified. All results of the testing have been communicated to the appropriate management officials within OCIO, the Office of the Chief Financial Officer (OCFO) and the Office of the Chief Operating Officer (OCOO).

[The remainder of this page and all of pages 2, 3 & 4 are redacted in accordance with Exemption 2]


APPENDIX I

MANAGEMENT COMMENTS

[Pages 1 thru 5 redacted in accordance with Exemption 2]


APPENDIX II

REPORT DISTRIBUTION

Recipient                                   No. of Copies

Office of the Chief Financial Officer
Attention: Jeffrey Brown                    1

General Counsel                             3

Office of Management and Budget             1

U.S. Government Accountability Office       1